A system for using a certificate authority to first provide a customer with a digital certificate, and then having a relying party that receives that digital certificate access a status authority (the certificate authority or its designated agent) to receive a reissued certificate on that certificate. The reissued certificate has a much shorter validity period, which ensures that the information is timely. Moreover, the certificate may serve as a receipt, including an accumulated record of the signatures (digital certificates) and policy applied throughout the financial transaction. As a result, each transfer of the transaction forms a digitally-signed chain of evidence recording each step of the transaction and policy applied thereto, whereby risk may be assumed and charged for appropriately and in accordance with the risk purchaser's policy.
|
14. In a networking environment in which and end entity such as a customer desires to enter into an electronic transaction with a relying party such as a merchant, a method for permitting the relying party to check the status of a certificate of authority previously issued by a certificate authority to the end entity before the relying party enters into the desired electronic transaction requested by the end entity, the method comprising:
receiving at a computing system for the certificate authority or an agent of the certificate authority a query from a relying party's computing system for current status information on a first certificate previously issued by the certificate authority to an end entity, the first certificate having a representation of an issuer name associated with the certificate authority and a subject name associated with the end entity; and
in response to the query, issuing from the certificate authority or the certificate authority's agent a second certificate to the relying party indicating the current status of the first certificate, and the second certificate having a representation of an issuer name that is associated with either the certificate authority or the certificate authority's agent, and the subject name associated with the end entity.
6. In a networking environment in which and end entity such as a customer desires to enter into an electronic transaction with a relying party such as a merchant, a computer-readable medium having computer-executable instructions for implementing at one or more operating environments of the network a method for permitting the relying party to check the status of a certificate of authority previously issued by a certificate authority to the end entity before the relying party enters into the desired electronic transaction requested by the end entity, the method comprising:
receiving at a computing system for the certificate authority or an agent of the certificate authority a query from a relying party's computing system for current status information on a first certificate previously issued by the certificate authority to an end entity, the first certificate having a representation of an issuer name associated with the certificate authority and a subject name associated with the end entity; and
in response to the query, issuing from the certificate authority or the certificate authority's agent a second certificate to the relying party indicating the current status of the first certificate, and the second certificate having a representation of an issuer name that is associated with either the certificate authority or the certificate authority's agent, and the subject name associated with the end entity.
13. In a networking environment in which an end entity such as a customer desires to enter into an electronic transaction with a relying party such as a merchant, a method for permitting the relying party to check the status of a certificate of authority previously issued by a certificate authority to the end entity before the relying party enters into the desired electronic transaction requested by the end entity, the method comprising:
receiving at a relying party's computing system a first transaction request sent from the end entity's computing system, the first transaction request being associated with a first certificate previously issued by a certificate authority's computing system, the first certificate having a representation of an issuer name associated with the certificate authority and a subject name associated with the end entity;
the relying party thereafter communicating with either the certificate authority or an agent of the certificate authority to query for current status information on the first certificate; and
in response to the query, receiving at the relying party's computing system a second certificate from either the certificate authority or the certificate authority's agent, the second certificate indicating the current status of the first certificate, and the second certificate having a representation of an issuer name that is associated with either the certificate authority or the certificate authority's agent, and the subject name associated with the end entity.
1. In a networking environment in which an end entity such as a customer desires to enter into an electronic transaction with a relying party such as a merchant, a computer-readable medium having computer-executable instructions for implementing at one or more operating environments of the network a method for permitting the relying party to check the status of a certificate of authority previously issued by a certificate authority to the end entity before the relying party enters into the desired electronic transaction requested by the end entity, the method comprising:
receiving at a relying party's computing system a first transaction request sent from the end entity's computing system, the first transaction request being associated with a first certificate previously issued by a certificate authority's computing system, the first certificate having a representation of an issuer name associated with the certificate authority and a subject name associated with the end entity;
the relying party thereafter communicating with either the certificate authority or an agent of the certificate authority to query for current status information on the first certificate; and
in response to the query, receiving at the relying party's computing system a second certificate from either the certificate authority or the certificate authority's agent, the second certificate indicating the current status of the first certificate, and the second certificate having a representation of an issuer name that is associated with either the certificate authority or the certificate authority's agent, and the subject name associated with the end entity.
2. The computer-readable medium of
3. The computer-readable medium of
4. The computer-readable medium of
5. The computer-readable medium of
7. The computer-readable medium of
8. The computer-readable medium of
9. The computer-readable medium of
10. The computer-readable medium of
11. The computer-readable medium of
12. The computer-readable medium of
|
This is a continuation of U.S. patent application Ser. No. 09/448,854 filed Nov. 23, 1999.
The present invention generally relates to computer systems, and more particularly to transactions performed over a computer-based network such as intranets or the Internet.
In network transactions, a certificate authority (“CA”) is an entity that issues digitally signed certificates (“digital certificates”) to other entities such as organizations or individuals to allow them to prove their identity to others in financial or other remote transactions. A certificate authority may be an external company such as one which offers digital certificate services, or may be an internal organization such as a corporate MIS department. The certificate authority's chief function is to ascertain whether a subscriber meets the policy criteria for a class of digital certificates and if so, to issue one. A “subscriber” could be a person, a machine, or an executable.
At present, for financial transactions, online customers obtain a digital certificate from a certificate authority or their bank, and send that digital certificate with a signed transaction request (e.g., purchase order) to a merchant. The merchant typically verifies the customer's signature using the public key in the certificate and in the process assures that the digital certificate's status is valid (e.g., not revoked). The X.509 standard (ISO/IEC JTC1/SC 21, Draft Amendments DAM 4 to ISO/IEC 9594-2, DAM 2 to ISO/IEC 9594-6, DAM 1 to ISO/IEC 9594-7, and DAM 1 to ISO/IEC 9594-8 on Certificate Extensions, 1 Dec. 1996) specifies that a way to determine the status of a digital certificate is by using a certificate revocation list (“CRL”). Each certificate authority (or its designated agent) publishes a CRL of digital certificates it has previously issued that are now revoked. The merchant downloads the CRL from the issuing certificate authority and searches the list to make sure that the serial number of the digital certificate in question is not on the list.
CRLs cause a variety of problems, one of which is that that the list of all revoked certificates from the certificate authority may potentially become very large. More importantly, a CRL may not be sufficiently current, (i.e. “fresh enough”), whereby reliance thereon creates unacceptable financial risk. This “freshness problem” is particularly dangerous in high-value transactions.
A merchant may also verify a digital certificate by utilizing an Online Certificate Status Checking Protocol (“OCSP”), a presently proposed standard by which the certificate authority or a verification company makes an independent assertion about a digital certificate's validity. With OCSP like other insurance schemes, financial risk is purposely assumed by the certificate authority or verification company in exchange for a per-transaction fee. The certificate authority or verification company determines if the digital certificate is revoked, and returns a good, revoked or unknown status.
While OCSP is thus potentially more up-to-date than CRL-based solutions, OCSP has a number of economically-motivated peculiarities and limitations that make it less than ideal for many transactions. For example, an OCSP response is essentially an up-to-date one-certificate CRL, returning only either the good, revoked or unknown assertion about a certificate in an entirely new message format. Moreover, OCSP presumes a particular risk management pricing model that attaches a high cost and high liability to the issuance of every certificate status assertion. As such, OCSP depends upon its own three-tier (Client-Certificate Authority-Designated Responder) infrastructure, wherein the number of qualified certificate issuers and designated status responders is highly limited. In typical financial transactions, however, acceptance policy is up to the policy of the party buying the risk, and there is no reason to limit the parties to transactions to the narrow OCSP model, let alone to the simplistic certificate status assertion of good, revoked or unknown.
The present invention is directed to a method and system for using a certificate authority to first provide a customer with a digital certificate, and then having a relying third party who receives that digital certificate from the customer access a status authority (the certificate authority or a designated agent of the certificate authority) to receive a second, reissued digital certificate on the first digital certificate or its public key. The reissued digital certificate has a relatively much shorter validity period than the first certificate, which relies on a certificate's expiring before its assertion could become false. The length of the validity period is determined by an associated risk management equation which includes, for example, the dollar amount of the transaction and the credit-worthiness of the customer.
Moreover, the reissued digital certificate serves as a receipt including an accumulated record of the signatures (digital certificates) and possibly other accumulated evidence throughout the financial transaction. As a result, the receipts generated on each transfer of a transaction adds to the digital chain of evidence, recording each step of the transaction and policy applied thereto, whereby risk may be assumed and charged for appropriately. The present invention is accomplished by simple extensions to existing protocols, i.e., without requiring new overly complex protocols and data structures, and further can return detailed information with each response.
Other advantages will become apparent from the following detailed description when taken in conjunction with the drawings, in which:
Exemplary Operating Environment
Moreover, those skilled in the art will appreciate that the invention may be practiced with other computer system configurations, including hand-held devices, multi-processor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers and the like. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.
With reference to
A number of program modules may be stored on the hard disk, magnetic disk 29, optical disk 31, ROM 24 or RAM 25, including an operating system 35, (including a file system therein and/or associated therewith), one or more application programs 36, other program modules 37 and program data 38. A user may enter commands and information into the personal computer 20 through input devices such as a keyboard 40 and pointing device 42. Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, scanner or the like. These and other input devices are often connected to the processing unit 21 through a serial port interface 46 that is coupled to the system bus, but may be connected by other interfaces, such as a parallel port, game port or universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface, such as a video adapter 48. In addition to the monitor 47, personal computers typically include other peripheral output devices (not shown), such as speakers and printers.
The personal computer 20 may operate in a networked environment using logical connections to one or more remote computers, such as a remote computer 49. The remote computer 49 may be another personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to the personal computer 20, although only a memory storage device 50 has been illustrated in
When used in a LAN networking environment, the personal computer 20 is connected to the local network 51 through a network interface or adapter 53. When used in a WAN networking environment, the personal computer 20 typically includes a modem 54 or other means for establishing communications over the wide area network 52, such as the Internet. The modem 54, which may be internal or external, is connected to the system bus 23 via the serial port interface 46. In a networked environment, program modules depicted relative to the personal computer 20, or portions thereof, may be stored in the remote memory storage device. It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers may be used.
Online Certificate Status Checking in Financial Transactions
While the present invention was originally implemented in a financial environment and thus includes financial-based client and server examples, it should be understood that the present invention is not limited to financial applications, but instead has numerous applications throughout user computing. Moreover, although the various components are shown and described herein as separate components because of certain benefits resulting from separated functionality, it can be readily appreciated that some or all of the components may be combined into more complex components, and/or separated even further into additional components.
In general, the present invention is directed to method and system by which the relying party 62 authenticates the end entity 60 so that a transaction can be entered. Initially, before the transaction can occur, the end entity 60 obtains a digital certificate 64 from a certificate authority 66 (“CA”), as represented in
The certificate authority 66 uses a digital signature scheme (e.g., public key cryptography) to create a binding among some identity information, e.g., the end entity's possession of the private key 67 and the public key 68. The digital certificate 64 comprises a digitally-signed statement about the public/private key pair 68, 67, and is returned to the end entity 60 (the arrow numbered two in
As shown in
In accordance with the present invention and as is described below, after receiving the digital certificate 64, to obtain real-time status information on the certificate 64, the relying party 62 accesses a status authority (i.e., the certificate authority 66 or a designated agent thereof) to receive a second, “reissued” digital certificate on the digital certificate 64. To request real-time status information regarding the digital certificate 64, the relying party's policy evaluation engine 76 requests, via a request message 77 (and the arrow labeled four in
As shown in
The request message 77 may comprise the digital certificate 64, and/or any other prior issued digital certificate or certificates that were submitted by the end entity 60 to the relying party 62. For example, if the relying party wants current information regarding the status of the digital certificate 64, the message delivered to the responder may be exactly the digital certificate 64.
The digital certificate 64 may also be submitted to the certificate authority 66 as the request message 77 for information regarding the status of the public key 68. Some additional information may be added to the digital certificate 64 (e.g., header information) to indicate that a response about the public key 68 is desired, and not a response about the digital certificate 64 carrying the public key.
The public key 68 may also be extracted from the digital certificate 64, and forwarded to the certificate authority as the request message 77 for real-time status of the public key. However, if such a method is used, the request message may need to be distinguished from a request for an original certificate.
The request message 77 may take a variety of different formats, including the formats and protocols of existing industry standards. Slight variations may be required to use some of the existing protocols. For example, the de facto industry standard for requesting a digital certificate for a public/private key pair is defined by a protocol known as the PKCS #10 protocol. PKCS #10 messages are self-signed to provide proof-of-possession of the corresponding private key. In the case of real-time status checking, the requesting party (i.e., the relying party 62) is not normally the same entity as that possessing the key pair in question, and thus does not possess the private key. Thus, if PKCS #10 message format is to be used, the certificate authority 66 is altered so as to receive a public key, an existing digital certificate, or both of these items with additional information. For example, the request could be slightly altered so as to distinguish the request from a standard PKCS #10 message by adding header information or the like identifying the request as a real-time status inquiry of an existing digital certificate or public key.
The request message 77 could also utilize the existing extensibility in the proposed CMS (Cryptographic Message Syntax)-based certificate enrollment protocol known as CMC. In CMC, the Full Enrollment Request message is a signed CMS with commands (zero or more) and enrollment requests (zero or more). The certificates to be checked could be included the CertificateSet portion of a SignedData CMS content payload. That is, the body of the CMS SignedData message becomes simply a data structure of the form:
SEQUENCE OF
SEQUENCE {
id-realtime-status-request
// an OBJECT IDENTIFIER
requestSubject
// a ResponseSubject
}
}
where ResponseSubject is an extension that is added to a digital certificate to create a reissue certificate (described below), and the request for the ResponseSubject, as indicated by “requestSubject”, is an indication that a reissue certificate is requested. The ResponseSubject request provides a reference either to a particular public/private key pair (by referencing the key identifier of a public key), or to a particular certificate, either by a hash of the certificate or by an (issuer name, serial number) pair. The type of request being made, i.e., public key versus certificate, is implicit in the choice of identifier.
In response to the request message 77, the status authority (e.g., the certificate authority 66 via the policy manager 69) issues a “reissue” digital certificate 80 (
An example of the differences between selected various fields of the reissue certificate 80 and the certificate 64 are shown in
In a preferred embodiment, the certificate authority adds to the original digital certificate 64 a new extension 82 indicating that it is a freshness assertion about a public key or a digital certificate. The presence of the extension 82 (which is identified by its own “object identifier” (OID)) can serve as notice that the reissue certificate 80 is a response to a status check. The data contained in the extension 82, called ResponseSubject in the example shown in
ResponseSubject : := SEQUENCE {
keyIdentifier
[0] KeyIdentifier
OPTIONAL,
certIdentifier
[1] CertIdentifier
OPTIONAL,
certIssuer
[2] GeneralNames
OPTIONAL,
certSerialNumber
[3] CertificateSerialNumber
OPTIONAL,
}
KeyIdentifier : := OCTET STRING
CertIdentifier : := SEQUENCE
{
hashAlgorithm
AlgorithmIdentifier,
certHash
CertHash
}
CertHash : := OCTET STRING
As can be seen in the above example, a ResponseSubject extension 82 may include a reference to a particular public key (denoted by keyIdentifier), a reference to a particular digital certificate via hash (certIdentifier), and/or a reference to an issuer/serial-number pair (certIssuer, certSerialNumber). Since the keyIdentifier is presumed to correspond to a SubjectKeyIdentifier contained within the digital certificate 64, there is no need to identify a hash algorithm for it. For the CertIdentifier structure, a certificate hash (algorithm and hash function output) is needed to uniquely identify the digital certificate that is the subject of the response.
In the case of a failure, i.e., rejection, the certificate authority 66 may fail to return a response, although this is not particularly desirable or useful to the relying party 62. Alternatively, the certificate authority 66 may return some other signed statement including information concerning why the status check failed. Another possibility is to add another extension 84 (called “ResponseStatus” in
The certificate authority 66 may choose to add other extensions to the reissue digital certificate 80 as evidence that its policy has been met. For example, an Evidence List extension 84 could be added that contains information regarding the evidence submitted to satisfy the policy of the relying party 62. Additionally, a Certificate Policy extension 86 could be added that includes policy-related information that semantically qualifies the response. Additional extensions could be added to provide desired information with the reissue digital certificate 80.
The reissue certificate 80 is forwarded to the relying party's policy evaluation engine 76, and is combined with the transaction request 72, the digital certificate 64 and any other submitted evidence to make a determination if the information meets the relying party's trust management question. The policy evaluation may include only the above-described real-time status check on the submitted certificate or the underlying public key (
Following the policy evaluation, the relying party's policy evaluation engine 76 generates an acceptance or denial result, and a statement of the decision is returned to the end entity 60, along with the digital reissue certificate 80 and digitally signed signatures 87, if any. This is shown in
After issuing the receipt 88, the relying party 62 may wish to re-sell the transaction to a third party. The buyer in the previous transaction (the relying party 62) then becomes the seller of the transaction, and the previously-issued receipt is now a piece of evidence submitted to the new buyer proving that the old buyer (i.e., the relying party 62) applied its own policy at the time it purchased the transaction. The new buyer of the transaction may then request a new reissue certificate and produce a new receipt, and can sell the transaction to a new party, and so on.
For example,
Party B may then re-sell the transaction T to party C. As above, party B first sends the transaction T to the proposed buyer along with supporting evidence. The evidence submitted by B will ordinarily include both the evidence submitted by party A to party B when party B bought the transaction T, as well as the receipt/certificate Cert2 that party B issued showing that party B's acceptance policy was satisfied. Party C performs its own acceptance policy evaluation and issues receipt/certificate Cert3 as proof of acceptance of the transaction. This new receipt/certificate Cert3, which references the transaction T and receipt/certificates Cert1 and Cert2, is returned to party B to complete the resale of the transaction. A further resale in a similar manner of the transaction T from party C to party D is shown in
At the conclusion of the three sales of the transaction T, party D holds the transaction T and four receipt/certificates—Cert1, Cert2, Cert3 and Cert4. Together, these receipt/certificates detail exactly how transaction T moved among the four parties, what policy decisions were made along the way, and the commitments made by each party in the process. Even after the transaction terminates and no longer exists, the receipts persist and continue to provide evidence. For example, should the transaction T be repudiated at a later date, the signed receipt/certificates may be used to prove or refute a claim. Thus, the set of receipts/certificates generated by every transfer of the transaction forms a digitally-signed chain of evidence binding not only every step of the transaction but also every policy application that happened along the way. Of course, it is feasible to include less information than the total accumulated with each additional transaction.
Turning now to an explanation of the operation of the present invention,
As described above, the real-time status inquiry may be regarding the status of the digital certificate 64, or the status of the underlying public key 68 for the digital certificate. If information regarding the status of the public key 68 is desired, step 704 branches to step 706, where the relying party 62 sends information identifying the public key (“PK”) to the status authority (e.g., the certificate authority 66). As also described above, this information may be, for example, the extracted public key 68, the digital certificate 64 with additional information indicating that a status request regarding the public key is desired, or a command requesting the public key information by hash. At step 708, the certificate authority 66 issues a reissue certificate on the public key 68.
Alternatively, if information regarding the digital certificate 64 is desired, step 704 branches to step 710 where the relying party 62 sends information identifying the digital certificate 64 to the status authority (e.g., the certificate authority 66). As described above, this information may include, for example, the digital certificate 64, the issuer name and serial number for the digital certificate, or other sufficient information to identify the digital certificate 64. The certificate authority 66 issues a reissue certificate (e.g., the reissue certificate 80) on the digital certificate 64.
At step 714, a determination is made, for example by the relying party's policy evaluation engine 76, as to whether the relying party's policy is met. As described above, this inquiry may include only the real-time status check of the digital certificate 64, or may additionally include local inquiries regarding the transaction or the end entity 60. If the relying party's policy is not met, step 714 branches to step 716 where the reissue certificate (“RC”) and a message informing the end entity 60 of the rejection of the requested transaction is forwarded to the end entity.
If, however, the relying party's policy is met, step 714 branches to step 718 where the reissue certificate 80 and relying party policy information are combined to form a receipt. The receipt is forwarded to the end entity 60 in step 720.
As can be seen from the above detailed description, there is provided a system and method for certificate re-issuance to validate a transaction. The system and method may be accomplished via extensions to existing protocols, and further allow receipts including policy information to be generated with each transaction. The present invention may be implemented independent of the underlying form of public key infrastructure, and without reliance on a limited number of qualified certificate issuers and designated status responders. With the present invention, response to a real-time status check is a risk transference just like certificate issuance.
While the invention is susceptible to various modifications and alternative constructions, a certain illustrated embodiment thereof is shown in the drawings and has been described above in detail. It should be understood, however, that there is no intention to limit the invention to the specific form or forms disclosed, but on the contrary, the intention is to cover all modifications, alternative constructions, and equivalents falling within the spirit and scope of the invention.
Fox, Barbara L., LaMacchia, Brian A.
Patent | Priority | Assignee | Title |
7747852, | Sep 01 2000 | Northrop Grumman Systems Corporation | Chain of trust processing |
7899722, | Mar 20 2001 | REGULATORY DATACORP, INC | Correspondent bank registry |
8121937, | Mar 20 2001 | REGULATORY DATACORP, INC | Gaming industry risk management clearinghouse |
8140415, | Mar 20 2001 | REGULATORY DATACORP, INC | Automated global risk management |
8209246, | Mar 20 2001 | REGULATORY DATACORP, INC | Proprietary risk management clearinghouse |
8522035, | Sep 20 2011 | Malikie Innovations Limited | Assisted certificate enrollment |
8762191, | Jul 02 2004 | REGULATORY DATACORP, INC | Systems, methods, apparatus, and schema for storing, managing and retrieving information |
8843411, | Mar 20 2001 | REGULATORY DATACORP, INC | Gaming industry risk management clearinghouse |
8909934, | Sep 20 2011 | Malikie Innovations Limited | Assisted certificate enrollment |
8996481, | Jul 02 2004 | REGULATORY DATACORP, INC | Method, system, apparatus, program code and means for identifying and extracting information |
9058581, | Jul 02 2004 | REGULATORY DATACORP, INC | Systems and methods for managing information associated with legal, compliance and regulatory risk |
9063985, | Jul 02 2004 | REGULATORY DATACORP, INC | Method, system, apparatus, program code and means for determining a redundancy of information |
Patent | Priority | Assignee | Title |
4885777, | Sep 04 1985 | Hitachi, Ltd. | Electronic transaction system |
5497422, | Sep 30 1993 | Apple Inc | Message protection mechanism and graphical user interface therefor |
5560008, | May 15 1989 | International Business Machines Corporation; INTERNATIONAL BUSINESS MACHINES CORPORATION, A CORP OF NY | Remote authentication and authorization in a distributed data processing system |
5717758, | Nov 02 1995 | ASSA ABLOY AB | Witness-based certificate revocation system |
5774552, | Dec 13 1995 | NCR Corporation | Method and apparatus for retrieving X.509 certificates from an X.500 directory |
5815571, | Oct 28 1996 | Computer system with secured data paths and method of protection | |
5892905, | Dec 23 1996 | International Business Machines Corporation | Computer apparatus and method for providing a common user interface for software applications accessed via the world-wide web |
5903882, | Dec 13 1996 | Certco, LLC | Reliance server for electronic transaction system |
5915087, | Dec 12 1996 | McAfee, LLC | Transparent security proxy for unreliable message exchange protocols |
5922074, | Feb 28 1997 | EMC IP HOLDING COMPANY LLC | Method of and apparatus for providing secure distributed directory services and public key infrastructure |
5925126, | Mar 18 1997 | Memco Software, Ltd. | Method for security shield implementation in computer system's software |
5958050, | Sep 24 1996 | Electric Communities | Trusted delegation system |
5960084, | Dec 13 1996 | HEWLETT-PACKARD DEVELOPMENT COMPANY, L P | Secure method for enabling/disabling power to a computer system following two-piece user verification |
5978484, | Apr 25 1996 | Microsoft Technology Licensing, LLC | System and method for safety distributing executable objects |
5987608, | May 13 1997 | Meta Platforms, Inc | Java security mechanism |
5991877, | Apr 03 1997 | Lockheed Martin Corporation | Object-oriented trusted application framework |
6002768, | May 07 1996 | International Computer Science Institute | Distributed registration and key distribution system and method |
6023764, | Oct 20 1997 | International Business Machines Corporation | Method and apparatus for providing security certificate management for Java Applets |
6044462, | Apr 02 1997 | PERIMETER LABS, INC | Method and apparatus for managing key revocation |
6101255, | Apr 30 1997 | GENERAL DYNAMICS ADVANCED INFORMATION SYSTEMS, INC; GENERAL DYNAMICS MISSION SYSTEMS, INC | Programmable cryptographic processing system and method |
6105012, | Apr 22 1997 | Oracle America, Inc | Security system and method for financial institution server and client web browser |
6105134, | Apr 03 1995 | Scientific-Atlanta, LLC | Verification of the source of program information in a conditional access system |
6108788, | Dec 08 1997 | ENTRUST, INC ; Entrust Technologies Limited | Certificate management system and method for a communication security system |
6163772, | Jun 17 1996 | Hewlett Packard Enterprise Development LP | Virtual point of sale processing using gateway-initiated messages |
6230266, | Feb 03 1999 | Oracle America, Inc | Authentication system and process |
6285991, | Dec 13 1996 | Visa International Service Association | Secure interactive electronic account statement delivery system |
6532540, | May 14 1996 | AXWAY INC | Apparatus and method for demonstrating and confirming the status of a digital certificates and other data |
6564319, | Dec 29 1997 | IBM Corporation | Technique for compressing digital certificates for use in smart cards |
6615347, | Jun 30 1998 | DIGICERT, INC | Digital certificate cross-referencing |
6842863, | Nov 23 1999 | Microsoft Technology Licensing, LLC | Certificate reissuance for checking the status of a certificate in financial transactions |
20010011255, |
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
Nov 18 1999 | LAMACCHIA, BRIAN A | Microsoft Corporation | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 018253 | /0919 | |
Nov 23 1999 | FOX, BARBARA L | Microsoft Corporation | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 018253 | /0919 | |
Jan 10 2005 | Microsoft Corporation | (assignment on the face of the patent) | / | |||
Oct 14 2014 | Microsoft Corporation | Microsoft Technology Licensing, LLC | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 034543 | /0001 |
Date | Maintenance Fee Events |
Feb 17 2009 | ASPN: Payor Number Assigned. |
Aug 28 2012 | M1551: Payment of Maintenance Fee, 4th Year, Large Entity. |
Sep 01 2016 | M1552: Payment of Maintenance Fee, 8th Year, Large Entity. |
Nov 02 2020 | REM: Maintenance Fee Reminder Mailed. |
Apr 19 2021 | EXP: Patent Expired for Failure to Pay Maintenance Fees. |
Date | Maintenance Schedule |
Mar 17 2012 | 4 years fee payment window open |
Sep 17 2012 | 6 months grace period start (w surcharge) |
Mar 17 2013 | patent expiry (for year 4) |
Mar 17 2015 | 2 years to revive unintentionally abandoned end. (for year 4) |
Mar 17 2016 | 8 years fee payment window open |
Sep 17 2016 | 6 months grace period start (w surcharge) |
Mar 17 2017 | patent expiry (for year 8) |
Mar 17 2019 | 2 years to revive unintentionally abandoned end. (for year 8) |
Mar 17 2020 | 12 years fee payment window open |
Sep 17 2020 | 6 months grace period start (w surcharge) |
Mar 17 2021 | patent expiry (for year 12) |
Mar 17 2023 | 2 years to revive unintentionally abandoned end. (for year 12) |